Merge pull request #1192 from jiangliu/encrypt

Enhance file cache to encrypt data written to the cache file

api/src/config.rs

@@ -672,6 +672,15 @@ pub struct FileCacheConfig {
     /// Deprecated: disable index mapping, keep it as false when possible.
     #[serde(default)]
     pub disable_indexed_map: bool,
+    /// Enable encryption data written to the cache file.
+    #[serde(default)]
+    pub enable_encryption: bool,
+    /// Enable convergent encryption for chunk deduplication.
+    #[serde(default)]
+    pub enable_convergent_encryption: bool,
+    /// Key for data encryption, a heximal representation of [u8; 32].
+    #[serde(default)]
+    pub encryption_key: String,
 }
 
 impl FileCacheConfig {

docs/samples/blob_cache_entry_configuration_v2.toml

@@ -125,6 +125,9 @@ validate = true
 
 [cache.filecache]
 work_dir = "."
+enable_encryption = true
+enable_convergent_encryption = true
+encryption_key = "fc4a7db5614afc2f400e9478bebed1aefdbc9d7cd03210b84f144683a7a6fd1a"
 
 [cache.fscache]
 work_dir = "."

docs/samples/configuration_v2.toml

@@ -120,6 +120,12 @@ type = "filecache"
 compressed = true
 # Whether to validate data read from the cache.
 validate = true
+# Enable encryption data written to the cache file.
+enable_encryption = true
+# Enable convergent encryption for chunk deduplication.
+enable_convergent_encryption = true
+# Key for data encryption, a heximal representation of [u8; 32].
+encryption_key = "fc4a7db5614afc2f400e9478bebed1aefdbc9d7cd03210b84f144683a7a6fd1a"
 
 [cache.filecache]
 work_dir = "."

rafs/src/metadata/cached_v5.rs

@@ -733,6 +733,10 @@ impl BlobChunkInfo for CachedChunkInfoV5 {
         self.flags.contains(BlobChunkFlags::COMPRESSED)
     }
 
+    fn is_encrypted(&self) -> bool {
+        false
+    }
+
     fn as_any(&self) -> &dyn Any {
         self
     }

rafs/src/metadata/direct_v5.rs

@@ -842,6 +842,10 @@ impl BlobChunkInfo for DirectChunkInfoV5 {
             .contains(BlobChunkFlags::COMPRESSED)
     }
 
+    fn is_encrypted(&self) -> bool {
+        false
+    }
+
     fn as_any(&self) -> &dyn Any {
         self
     }

rafs/src/metadata/direct_v6.rs

@@ -1424,6 +1424,13 @@ impl BlobChunkInfo for DirectChunkInfoV6 {
             .contains(BlobChunkFlags::COMPRESSED)
     }
 
+    fn is_encrypted(&self) -> bool {
+        let state = self.state();
+        self.v5_chunk(&state)
+            .flags
+            .contains(BlobChunkFlags::ENCYPTED)
+    }
+
     fn as_any(&self) -> &dyn Any {
         self
     }
@@ -1500,6 +1507,10 @@ impl BlobChunkInfo for PlainChunkInfoV6 {
         false
     }
 
+    fn is_encrypted(&self) -> bool {
+        false
+    }
+
     fn as_any(&self) -> &dyn Any {
         self
     }

rafs/src/metadata/layout/v5.rs

@@ -1621,6 +1621,10 @@ pub mod tests {
             self.flags.contains(BlobChunkFlags::COMPRESSED)
         }
 
+        fn is_encrypted(&self) -> bool {
+            false
+        }
+
         fn as_any(&self) -> &dyn Any {
             self
         }

rafs/src/metadata/md_v5.rs

@@ -241,6 +241,10 @@ impl BlobChunkInfo for V5IoChunk {
         self.flags.contains(BlobChunkFlags::COMPRESSED)
     }
 
+    fn is_encrypted(&self) -> bool {
+        false
+    }
+
     fn as_any(&self) -> &dyn Any {
         self
     }

rafs/src/mock/mock_chunk.rs

@@ -50,10 +50,6 @@ impl MockChunkInfo {
 }
 
 impl BlobChunkInfo for MockChunkInfo {
-    fn is_compressed(&self) -> bool {
-        self.c_flags.contains(BlobChunkFlags::COMPRESSED)
-    }
-
     fn chunk_id(&self) -> &RafsDigest {
         &self.c_block_id
     }
@@ -62,6 +58,14 @@ impl BlobChunkInfo for MockChunkInfo {
         self.c_index
     }
 
+    fn is_compressed(&self) -> bool {
+        self.c_flags.contains(BlobChunkFlags::COMPRESSED)
+    }
+
+    fn is_encrypted(&self) -> bool {
+        false
+    }
+
     fn as_any(&self) -> &dyn Any {
         self
     }

src/bin/nydus-image/unpack/pax/test.rs

@@ -70,39 +70,43 @@ impl MockChunkInfo {
 }
 
 impl BlobChunkInfo for MockChunkInfo {
-    fn is_compressed(&self) -> bool {
-        self.is_compressed
+    fn chunk_id(&self) -> &nydus_utils::digest::RafsDigest {
+        todo!();
     }
 
-    fn uncompressed_size(&self) -> u32 {
-        self.uncompress_size
+    fn id(&self) -> u32 {
+        todo!();
     }
 
-    fn uncompressed_offset(&self) -> u64 {
-        self.uncompress_offset
+    fn blob_index(&self) -> u32 {
+        todo!();
+    }
+
+    fn compressed_offset(&self) -> u64 {
+        self.compress_offset
     }
 
     fn compressed_size(&self) -> u32 {
         self.compress_size
     }
 
-    fn compressed_offset(&self) -> u64 {
-        self.compress_offset
+    fn uncompressed_offset(&self) -> u64 {
+        self.uncompress_offset
     }
 
-    fn id(&self) -> u32 {
-        todo!();
+    fn uncompressed_size(&self) -> u32 {
+        self.uncompress_size
     }
 
-    fn as_any(&self) -> &dyn std::any::Any {
-        todo!();
+    fn is_compressed(&self) -> bool {
+        self.is_compressed
     }
 
-    fn blob_index(&self) -> u32 {
-        todo!();
+    fn is_encrypted(&self) -> bool {
+        false
     }
 
-    fn chunk_id(&self) -> &nydus_utils::digest::RafsDigest {
+    fn as_any(&self) -> &dyn std::any::Any {
         todo!();
     }
 }

storage/Cargo.toml

@@ -36,7 +36,7 @@ fuse-backend-rs = "0.10"
 gpt = { version = "3.0.0", optional = true }
 
 nydus-api = { version = "0.2", path = "../api" }
-nydus-utils = { version = "0.4", path = "../utils", features = ["zran"] }
+nydus-utils = { version = "0.4", path = "../utils", features = ["encryption", "zran"] }
 nydus-error = { version = "0.2", path = "../error" }
 sha1 = { version = "0.10.5", optional = true }